In a world of ever-increasing information, security requirements and regulations, companies must manage a complex compliance environment that has resulted in a multitude of linked processes. The primary driver of all of these requirements and regulation is the mitigation of risk and the threat of a security breach.
The unintended result of these actions has been a proliferation of regulation and requirements that creates multiple, and often times redundant, work that you must complete.
Examples of some (not intended to reflect the entire list) of the current regulations in place are:
- E-Discovery Legislation in effect December 31, 2006
- FTC regulations for GLBA, COPPA and Fair Information Practices
- European Union Data Protection Directive or the US Safe Harbor
- (SOX) Sarbanes Oxley Act of 2002
- (HIPAA) Healthcare Insurance Portability and Accountability Act
- Breach notification statutes, now in over 35 states
- (PCI) Payment Card Industries Data Security Standard
All the items on this list require companies to address one or more aspects of ensuring and demonstrating the confidentiality, integrity or availability of information, whether in paper or electronic form and in some cases even the spoken word. In many instances multiple requirements are imposed on a single company. The regulators, in many cases, do not offer guidance on which set of rules and acts should be followed, nor do they provide much guidance.
Well intended companies sometimes find themselves creating an incredibly strong "technology" approach that results in false sense of security. Companies that take this approach employ hard-core technology on the outside; firewalls, penetration testing, passwords, segmentation, etc. Unfortunately, they have little or no controls governing the "low tech" information flows within the organization's walls (paper, spoken word etc.). They tend to have no formal programs and controls related to: lack training and awareness, classification of information, incident management, and so on). Another risk that companies face is that individual silos in the company have created their own (sometimes redundant, sometimes conflicting) security processes.
To avoid these issues, you should strongly consider the adoption of visionary security standards, such as ISO/IEC 27001that provide a foundation and management system guidance allowing organizations to structure a process that eliminates the silos and allows the organization to implement once while complying with many regulations. This approach is based on the strong, time tested methodology that drives all ISO standards and by definition is global and "certifiable." The importance of being "certified" by a third party indicates that prudence was taken on your part and that your approach has met "global requirements."
ISO 27001 promotes the adoption of a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security management system (ISMS). This includes all information not just the management of an "IT" system.
Your compliance program must be risk-based, managed and treated as a living process that is constantly analyzed and improved. Many of the international standards promote this approach through what is called the "process approach" or "Plan Do Check Act (PDCA)" model.
Simplified for this article, the four-step continuous improvement process is explained in the ISO 27001 Standard as:
*Plan (establish the ISMS). Establish ISMS policy, objectives, processes and procedures relevant to managing risk (identifying the vulnerabilities and threats that exist and establishing controls as outlined in the standard) and improving information security to deliver results in accordance with an organization's overall policies and objectives.
*Do (implement and operate the ISMS). Implement and operate the ISMS policy, controls, processes and procedures.
*Check (monitor and review the ISMS). Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience, and report the results to management for review.
*Act (maintain and improve the ISMS). Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
As security professionals, it is clearly in our best interest to promote one, international standard or we will ultimately be dealing with multiple, redundant and even conflicting processes.
Gary Pearsons is currently the President of BSI Management Systems Americas, Inc.
